Security
A secure government digital product with regular recertification, testing and strict controls.
Business Connect is a secure government digital platform that undergoes regular system security recertification and testing, and operates under strict controls.
Since its launch in November 2019, Business Connect has successfully passed multiple independent system security certification assessments. The platform is certified to handle information classified up to IN-CONFIDENCE.
A System Security Certificate is available upon request and provides the necessary assurance for verifying and accrediting Business Connect for use.
We secure the product in a few ways
To provide a secure platform, Business Connect restricts access by:
- using the latest secure sockets layer (SSL) and transport layer security (TLS) standards
- using multi-factor authentication for the production environment of the back-end admin portal
- doing regular security patching and periodic penetration testing
- aligning with the Control Validation Plan and approval defined by the Ministry of Business, Innovation and Employment (MBIE).
To verify end users’ data and identity, Business Connect:
- integrates with the individual’s RealMe Login accounts and verifies the user by email
- requires users to declare that data they have entered is true and correct, when they submit an application to an organisation via Business Connect.
To protect business data and information housed in Business Connect:
- data is used only to the extent necessary to provide the services
- technical and other reasonable safeguards are maintained, including suitable virus protection, to protect data from destruction, unauthorised access, misuse or disclosure
- relevant data protection laws are followed
- the security requirements in the New Zealand Information Security Manual (NZISM) are followed
- privacy breaches will be reported and managed as soon as we learn about them.
You still need to do several things
You still need to take extra steps to check the identity of the applicant or business, if your organisation requires you to.
Business Connect has already obtained a system security certificate which can help with your internal security risk assessment.
Assurance processes have specifically identified the following considerations for councils and agencies:
- Carry out your own risk assessment on information security, as with other technology that multiple agencies use to support business outcomes. Base your assessment on your own business context, risk appetite, and handling of personally identifiable information (PI) stored within Business Connect.
- Ensure all data to be collected is classified as IN-CONFIDENCE or UNCLASSIFIED by considering and assessing the potential harm should its confidentiality, integrity or availability be compromised. It is important to get classification right so that information is not:
  - over-classified, making its access or dissemination inappropriately restricted
  - under-classified, making it at risk of being compromised and creating harm.
- Determine, implement, and validate your requirements, so you can manage staff access appropriately. Ensure that access ends when staff leave your organisation.
- Check if the current level of disaster recovery is suitable for you, if you intend to use Business Connect for critical processes.
- Carry out regular access audits to ensure access provided to staff members is appropriate.
- Consider information governance requirements:
  - Ensure there is a process for transferring submitted data into a source-of-truth system. (Business Connect is not a system of record.)
  - Who is the data owner?
  - What are data retention requirements?
- Complete a privacy assessment.